I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.
I've covered the hacker beat for Forbes since 2007, with frequent detours into digital miscellanea like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.
Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com. My PGP public key can be found here.

Pull out your credit card and flip it over. If the back is marked with the words “PayPass,” “Blink,” that triangle of nested arcs that serves as the universal symbol for wireless data or a few other obscure icons, Kristin Paget says it’s vulnerable to an uber-stealthy form of pickpocketing. As she showed on a Washington D.C. stage Saturday, she can read all the data she needs to make a fraudulent transaction off that card with just a few hundred dollars worth of equipment, and do it invisibly through your wallet, purse, or pocket.

At the Shmoocon hacker conference, Paget aimed to indisputably prove what hackers have long known and the payment card industry has repeatedly downplayed and denied: That RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer’s credit card onstage and obtained the card’s number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer’s money with the counterfeit card she’d just created. (She also handed the volunteer a twenty dollar bill, essentially selling the bill on stage for $15 to avoid any charges of illegal fraud.)

Paget magnetizing a counterfeit card with a volunteer’s wirelessly-stolen credit card data on stage at Shmoocon.

If anyone still doubted that the trick had worked, Paget accidentally flashed the volunteer’s credit card number on a screen in front of an audience of hundreds of hackers and security researchers. “You were planning on cancelling that card, weren’t you?” she added somewhat sheepishly.

Contactless cards are far more common than they might seem: According to the Smart Card Alliance, about 100 million of the RFID-enabled cards are in circulation. Visa calls its technology payWave, MasterCard dubs it PayPass, Discover brands it Zip, and American Express calls it ExpressPay. According to a show of hands among Shmoocon’s audience, dozens of the several hundred conference attendees in the room had contactless cards, and about a quarter of those weren’t aware of it until Paget asked them to pull out their cards and check for contactless symbols.

Paget, a well-known security researcher for the consultancy Recursion Ventures who was known as Christopher Paget until a gender change last May, used a simple method for her hack: impersonating a legitimate contactless point-of-sale terminal with her own RFID card reader. (That’s the striped panel pictured above.) In one practical version of the scam, Paget says, a fraudster could simply bump up against his victim with that reader in a coat pocket and invisibly scan the RFID signal through material like a leather wallet or cloth pants. In a demonstration just before her talk, Paget read a card in my wallet through my back pocket without touching me, successfully obtaining the card’s information.

The scheme, Paget points out, doesn’t involve any hidden bug in the system, but rather the more fundamental problem that any commercially-available RFID reader can read the data from a contactless card as easily as a store’s point-of-sale device does. “Whatever encryption or other security there might be, it doesn’t matter,” she says. “The reader just spits out the number as if I’m the point-of-sales terminal, which is totally stupid. This is an embarrassingly simple hack, but it works.”

The attack Paget demonstrated is far from new. The security industry has known since 2006 that contactless credit cards can be read wirelessly without the owner’s knowledge. But in current versions of the cards, the user’s name, PIN and the three-digit CVV on the back of the card aren’t included in the wirelessly-read information, which the industry has argued means the attack isn’t practical.

Randy Vanderhoof, executive director of the industry group the Smart Card Alliance, points out that despite previous research on the contactless attack, no real-world instances of the fraud have ever been reported. “We’ve got six years of history, a hundred million users of these cards, and we haven’t seen any documented cases of this kind of fraudulent transaction. The reason we think that’s the case is that it’s very difficult to monetize this as a criminal,” says Vanderhoof. “The premise that this is a new threat is absolutely false and isn’t supported by [Paget's] demonstration.”

In fact, contactless cards do offer one security feature traditional cards don’t: Along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to be used in the order they’re generated. If a payment processor detects multiple transactions with the same code, or even codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number once, and if the victim of the scam uses the card again before the thief has time to make a fraudulent payment, all transactions on the card will be blocked.

“The truth is that consumers should be embracing this technology because it’s making them safer,” says Vanderhoof. “Efforts to try to discredit the use of chip technology in cards is only making the users of the existing technology more vulnerable.”

But Paget says that rotating one-time CVV only means a fraudster would need to target multiple victims rather than defraud a single victim repeatedly. The scammer could stand in a crowded train station, for instance, reading the card numbers of many passers-by and sending them to an accomplice who carried out the rest of the scheme in real-time. “Instead of one person seeing many fraudulent transactions on their card, fifty people see one transaction on their statement, and maybe they don’t even notice it,” she says. “The card industry says this isn’t possible, but the information they’re giving you isn’t complete. It needed me to get up on stage and prove it so they would accept that the problems are real.”
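To make the two sides of this argument concrete, here is a small issuer-side model of the one-time CVV and ordering check described in the preceding paragraphs, together with Paget’s “one skim, one transaction, many victims” scenario. This is an added illustration, not code from the article, from Paget, or from any card network: it assumes (as a labelled simplification) that the card carries a transaction counter that increments on every read, whether a legitimate tap or a skim, that the one-time code is an HMAC of that counter under a per-card key shared with the issuer, and that the issuer accepts a code only if it verifies and its counter is strictly higher than the last one accepted, blocking the card otherwise. Real contactless schemes differ in their details, and the key and card data below are constructed.

```python
"""Toy model of a contactless card's one-time CVV and the issuer's replay/ordering check.

Added example, not from the article. Assumptions (labelled): a per-card counter
that increments on every read, a one-time code = HMAC(card key, counter), and an
issuer that rejects replayed or out-of-order codes by blocking the card.
"""
import hashlib
import hmac

APPROVED = "APPROVED"
DECLINED_BLOCKED = "DECLINED: card blocked"
DECLINED_ORDER = "DECLINED: replayed or out-of-order code, card blocked"
DECLINED_CODE = "DECLINED: bad one-time code, card blocked"


def one_time_cvv(key: bytes, counter: int) -> str:
    """Three-digit one-time code derived from the card counter (assumed construction)."""
    mac = hmac.new(key, counter.to_bytes(2, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


class ContactlessCard:
    """Whatever reader talks to the card gets the same response a POS terminal would."""

    def __init__(self, pan: str, expiry: str, key: bytes):
        self.pan, self.expiry, self.key = pan, expiry, key
        self.counter = 0

    def read(self) -> dict:
        # A skim through a pocket and a legitimate tap both advance the counter.
        self.counter += 1
        return {"pan": self.pan, "expiry": self.expiry,
                "atc": self.counter, "cvv": one_time_cvv(self.key, self.counter)}


class Issuer:
    def __init__(self):
        self.keys, self.last_atc, self.blocked = {}, {}, set()

    def enroll(self, card: ContactlessCard) -> None:
        self.keys[card.pan] = card.key
        self.last_atc[card.pan] = 0

    def authorize(self, txn: dict) -> str:
        pan = txn["pan"]
        if pan in self.blocked:
            return DECLINED_BLOCKED
        expected = one_time_cvv(self.keys[pan], txn["atc"])
        if not hmac.compare_digest(expected, txn["cvv"]):
            self.blocked.add(pan)
            return DECLINED_CODE
        if txn["atc"] <= self.last_atc[pan]:        # same code again, or an older one
            self.blocked.add(pan)
            return DECLINED_ORDER
        self.last_atc[pan] = txn["atc"]
        return APPROVED


def make_card(pan: str = "4111111111111111") -> tuple:
    # Constructed demo key and card data, not real card material.
    issuer = Issuer()
    card = ContactlessCard(pan, "1312", b"constructed-per-card-key-" + pan.encode())
    issuer.enroll(card)
    return card, issuer


def scenario_fraudster_first() -> list:
    """Skim, charge immediately, victim taps later, attacker tries the skim again."""
    card, issuer = make_card()
    skim = card.read()                       # read through the victim's pocket
    results = [issuer.authorize(skim)]       # cloned magstripe charged first: approved
    results.append(issuer.authorize(card.read()))  # victim's next tap: still approved
    results.append(issuer.authorize(skim))   # skim replayed: counter not higher, blocked
    return results


def scenario_victim_first() -> list:
    """Skim, but the victim taps before the attacker cashes in."""
    card, issuer = make_card()
    skim = card.read()
    results = [issuer.authorize(card.read())]  # victim taps: approved, counter moves on
    results.append(issuer.authorize(skim))     # stale skim: out of order, card blocked
    results.append(issuer.authorize(card.read()))  # victim's following tap: blocked too
    return results


def scenario_crowd(victims: int) -> int:
    """Paget's point: one skim per victim, each cashed in once, all approved."""
    approved = 0
    for i in range(victims):
        card, issuer = make_card(pan=f"41111111{i:08d}")
        if issuer.authorize(card.read()) == APPROVED:
            approved += 1
    return approved


if __name__ == "__main__":
    print("fraudster first:", scenario_fraudster_first())
    print("victim first:   ", scenario_victim_first())
    print("crowd of 50:    ", scenario_crowd(50), "fraudulent approvals")
```

The model reproduces both claims in the text: the ordering check does limit each skim to at most one transaction and punishes a late replay by blocking the card, which is the industry’s argument, yet a skim cashed in before the victim’s next tap is indistinguishable from a legitimate one, so an attacker who reads many cards once each is not slowed down at all.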

And now how to solve those problems? Perhaps the simplest solution, Paget advises, is to kill your card’s RFID chip by frying it in the microwave. But that’s a more delicate task than it might seem. “Three seconds in the microwave will kill the chip,” she says. “Five seconds will set it on fire.”

Paget’s firm has been working on a more sophisticated fix: a credit-card-shaped protection device known as GuardBunny that sits in a wallet alongside payment cards and blocks any would-be RFID fraudster. Paget says the device, which remains a prototype and still has no roadmap for commercial sale, blocks RFID signals far more effectively than any currently-available RFID-shielding wallet. Commercially-available RFID blockers simply shield cards or passports with a layer of aluminum or steel. GuardBunny, by contrast, reflects back the reader’s RFID signal with its own chip, effectively jamming the radio signal. That technique means even high-powered RFID readers would likely fail to pick up any credit card signals nearby. “It doesn’t matter how much power you put into it, it just bounces it back at you,” Paget says.

Paget admits that certain high-level attacks could get around even GuardBunny’s protections. “You can defeat this. But it involves building your own reader,” she says. “That’s a lot more to demand of the bad guys than spending $50 on eBay.”

Comments

I find the he said part of the obligatory she said/he said reporting a bit weak. It’s basic spin, doesn’t address the issues, and hides behind “we haven’t seen documented cases” — as if scammers would provide written reports. Except that now they have a publicly documented case. And still he denies.

It is good to recall that the payment industry doesn’t actually go for “security”. What they offer entirely hinges on you getting back your money should you get scammed. This costs either them, or more likely the retailer, but in the end they’re all businesses so the cost gets spread out over everyone that does business with them.

That is why time and again they choose to downplay, to spin, to ignore. The technology only gets an upgrade when the old stuff starts to cost too much. But since upgrading costs a lot, too, statements of the obvious like this one here are entirely unwelcome. Even if the shinier newer stuff turns out to be more vulnerable than the previous generation, as here.

Oh, and recall passports now are equipped with the same type of contactless smart card. Come see the future, the sheer possibilities.

To be fair, I think Vanderhoof has a point: Billions of dollars in fraud already occur annually with traditional credit cards. Contactless cards’ one-time use CVVs are a good idea, and could eventually force fraudsters to adapt. Unfortunately, they may just adapt to the kind of scam Paget has laid out here.

The problem is with Vanderhoof’s statement that, “Efforts to try to discredit the use of chip technology in cards is only making the technology more vulnerable.” This is akin to saying that locks are more vulnerable if you pick them. In a children’s fable sort of way, it’s also like saying you’re more naked if somebody says that you don’t have clothes on.

Adoption of this compromise technique has a very low degree of required sophistication. While there is an upside that codes must be used in order (and thus must be used between the time of capture and the next legitimate transaction), the barrier presented by that is far lower than the technology in the cards is capable of providing us with. It’s a big self-pat on the back for saying, “We’ve limited the time a stolen card can be useful,” in the face of having room for doing far better.

As a security consultant, radio hacker, and the person in that photo whose card was cloned without physical contact, I can say that there’s very little standing in the way of going shopping by riding the subway. The greatest preventing factor for that happening on a large scale is likely the fact that card numbers are easily found in so many other places.

Vanderhoof contacted me to tell me that I’d misquoted him on the quote that you reference.

To be sure that I’m getting his argument across, I’ve since changed it at his request to read “Efforts to try to discredit the use of chip technology in cards is only making the users of the existing technology more vulnerable.”

So he’s arguing that discrediting the new technology (contactless cards) leaves users vulnerable because they’re stuck with the old, less-secure cards. Not that talking about vulnerabilities in the new cards makes them more vulnerable.

This is a point that I addressed directly during my talk. On one hand RFID has indeed made credit cards more secure, such as the fact that card data is only good for a single transaction. On the other hand, there’s several ways that RFID has made credit cards less secure, primary among them being that cards can now be read and charged by bad guys without them leaving your pocket.

My argument is that calling contactless cards “more secure” than magstripe is inaccurate. “Differently secure” is probably better, since it changes the fraud vectors, exploitation techniques, and defences required. NFC changes things again (since the transponder can be disabled) but then introduces other potential issues, such as malware on phones. Whether or not RFID is more secure than magstripe is debatable, and certainly not clean-cut.

I’d also argue that the quotes about not seeing RFID credit card fraud are again inaccurate. Just because you haven’t seen something doesn’t mean it’s not happening; given that I demonstrated it live on-stage these companies _have_ now seen it. Ask Mr Ferland if he’s ever fallen “victim” to RFID credit card fraud.

The JCOP cards used in credit cards are an amazing technology, with truly magnificent capabilities. They certainly do have the potential to make our payment infrastructure far more secure, but presently they fail to do so owing to their need to integrate into legacy payment systems. To be clear, I’m not advocating the removal of RFID from payment systems, but you cannot possibly start to fix things if vendors don’t accept that there’s anything wrong. I (and many other researchers) are keen to improve this system and fix the flaws that have been identified, but while Mr Vanderhoof (and the Mastercard employee below) keep repeating that everything is fine we are completely prevented from doing so. _That_ was the point of my demo – providing irrefutable proof that RFID credit card fraud _is_ possible, so that hopefully we can now move the debate forward into fixing the problems rather than just sweeping them under the rug. As others have pointed out I’m not the first to talk about problems with RFID payment systems, and as long as the industry position remains the same I won’t be the last either. Mr Vanderhoof now has proof of vulnerability in RFID payment systems following my demo, if he’s interested in talking about how to fix these issues I’d be happy to work with him to do so.

Since the RFID cards do not transmit your name or billing address nor the CVC code, I’d be more interested in why the Square device actually processed the card transaction! Seeing as you cannot form a valid Track 1 by “skimming” or “reading” these new RFID cards, how was Track 1 encoded in order for the Square device to read it? Was only Track 2 used? Were any of the tracks formed properly? What about using this online? It shouldn’t be possible.

I’m a security professional in the payments space and it’s nice to see a real live demonstration documented in the mainstream media, but you can go back several years and see similar demonstrations. There was even an academic paper out of Boston with RSA several years ago. The other commenter is correct, the issuers and brands deflect and ignore even though there are real skimming issues here. But the reality is that you are much more likely to get your card data skimmed out of a gas pump that’s been attacked than you are from a RFID open air attack. And at the pump they even get your PIN (if you are foolish enough to use it) and then they just empty your bank account (again if you are foolish enough to have used a debit card). There are more pressing security issues in payments than RFID skimming.